CrowdSec Agent
Local detection, global remediation

CrowdSec Agent defends against intrusions by analyzing logs to identify and block offending IPs. Flagged IPs are then sent to the community blocklist to protect the Crowd.

Real-time detection of suspicious traffic & behavior

CrowdSec Agent, the open-source intrusion prevention system written in Go, protects any server against attacks by parsing service logs in real time (server, SSH, WordPress, etc.) to detect malicious behaviors.


  • A variety of scenarios to detect attacks: brute force, HTTP attacks, scans, L7 DDoS, website scalping/scraping etc.
  • Compatible with most OS (Linux/BSD/Windows), all popular servers (Nginx, Apache, Traefik, Caddy etc.), container-type setups
  • Can be used at the application level with WordPress, Magento, or any PHP or Python-based website

Our bouncer blocks cyberattacks

CrowdSec Agent comes with a remediation component, called "bouncer", to act on identified threats. The bouncer interfaces with firewalls to ban or block nefarious IPs. It will also consume the community blocklist to preventively block IPs that have been shared by CrowdSec users.

  • Compatible with most firewalls (Iptables, Nftables), application firewalls (Cloudflare, AWS WAF) or dedicated OS (OPNsense)
  • Decoupled from the detection mechanism for flexible setups where detection is done on one machine, while remediation is achieved on other machines
  • Customizable. Custom bouncers can be created to execute any script, depending on your use case

Community-fueled blocklist

CrowdSec uses the power of the crowd to maintain and distribute IP blocklists to preventively block intrusions. Based on the gathered behavior patterns, the service can assess the reputation of an IP address in real time.

  • Our curation mechanism ensures the reliability of the blocklists sent back to users. Combining a trust rank mechanism, behavior, our own honeypot network and a whitelist, the consensus engine ensures blocklists contain only "shoot-on-sight" IP addresses.
  • IP threat level is evaluated in stream processing, based on sightings from the CrowdSec network
  • This highly dynamic system ensures that blocklists contain no false positives or poisoning attempts, allowing your IPS to focus on really dangerous IPs.

Open source since day 1

Open-sourcing the CrowdSec Agent is critical to guarantee full transparency, quality and reliability to our users, while offering the community the opportunity to contribute to the code base.

  • Open-sourced under the MIT license, the most permissive in the world
  • We welcome contributions from the community whether it is to enhance the code base of Agent or to create new attack detection scenarios, bouncers or ports on new platforms.
  • The CrowdSec Hub centralizes all detection scenarios, bouncers or collections developed by the CrowdSec team and the community. Check it out for the latest updates!

How the CrowdSec Agent works

The feed can be consumed by your firewall or any existing remediation mechanism.

Why use our Agent

Reduce intrusions by 90%

By using CrowdSec Agent, users noticed a 90% drop in intrusion attempts on their online services, due to the community blocklist containing a curated list of aggressive IPs.

Eliminate alert fatigue with 0 false positives

By preventively blocking aggressive IPs and Internet background noise, SOC teams and security analysts can focus on alerts that matter.

Seamless setup

CrowdSec Agent was developed to fit the needs of modern IT setups. Working with all popular server OS, containers, servers and applications, Agent is easy to set up and integrates effortlessly with your CI/CD process.

CrowdSec Agent in a few figures

CrowdSec has quickly grown to become the biggest crowd-powered CTI network.

11M

Rogue IPs in the CTI database

30K

"Shoot-on-sight" IPs in the blocklist

16M

Signals/day received from the community

+60K

Machines contributing to the CTI

Run the Agent effectively on multiple platforms

OS

  • Linux
  • FreeBSD
  • Windows
  • Open WRT

Services

  • Iptables
  • Nftables
  • Nginx
  • Apache
  • Caddy
  • PF
  • Traefik

Data sources

  • AWS Cloudwatch
  • Amazon Kinesis
  • Docker

Platforms

  • Cloudflare
  • AWS
  • Docker

Discover how companies are using our CTI

esyoil is using CrowdSec Agent to bring multiple data sources together and block bad IPs before they even act, leveraging log analysis.
EsyOil
Yannick Siegler has been one of our earliest adopters and most involved community members. Discover his CrowdSec Agent use cases, both personal and professional.
Siegler Informatique
We had a chat with Dyllan Pascoe, co-founder of Lookopen. Find out how he used CrowdSec Agent and how it helped him secure his clients' IT assets.
Lookopen

Get started with CrowdSec today

Install an agent

$ curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
$ sudo apt-get install crowdsec


$ curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
$ sudo yum install crowdsec


$ sudo apt-get install crowdsec


$ docker run -d -v "$PWD/acquis.yaml":/etc/crowdsec/acquis.yaml -e COLLECTIONS="crowdsecurity/sshd" -v /var/log/auth.log:/var/log/auth.log -v /path/mycustom.log:/var/log/mycustom.log --name crowdsec crowdsecurity/crowdsec


# pkg install crowdsec


$ wget -qO - https://github.com/crowdsecurity/crowdsec/releases/latest/download/crowdsec-release.tgz | tar zxvf -
$ cd crowdsec-v* && sudo ./wizard.sh -i


DIVE INTO CROWDSEC’S UNIVERSE

Get started with
the Console today